TR-GRID CA Self-Auditing Results and Status Update EUGridPMA Meeting September 12-14, 2011 Marrakesh Feyza Eryol, Onur Temizsoylu TUBITAK-ULAKBIM

Overview (slide 2, September EUGridPMA Marrakesh Meeting)
● General information
● Current status of the CA (updates & statistics)
● Self-auditing results
● What has been done so far after auditing?
● Conclusion

Introduction (slide 3)
● TR-Grid CA is a traditional X.509 PKI CA with an offline issuing CA configuration.
● It was accredited at the 5th EUGridPMA Meeting in Poznan, in September.
● It provides X.509 certificates for academic research and educational activities in Turkey: so far only used by TRUBA users and hosts in grid activities.
● From TR-GRID (Turkish National Grid Infrastructure) to TRUBA (Turkish Science e-Infrastructure).
● It is located in Ankara and managed by TUBITAK-ULAKBIM.

Updates (slide 4)
● The TR-Grid CA self-audit was presented in Amsterdam, in January 2008.
● The CP/CPS was re-written in RFC 3647 format.
● All necessary corrections/clarifications were made in the CP/CPS.
● The OpenSSL configuration was updated/corrected.
● The online CA repository was updated.

Updates - 2 (slide 5)
● The TR-Grid CA root certificate was re-generated in September, with the same key, new validity dates and new extensions.
● The following reference documents were used:
  ● IGTF-AP-Classic v4.2
  ● Grid Certificate Profile (GFD.125)
● CP/CPS updated.
● OpenSSL configuration updated to guarantee that all certificates and CRLs are issued with the accurate profile.
● The information on TACAR was updated.

Statistics (slide 6)
CA:
● So far around 990 certificates issued.
● So far around 200 certificates revoked.
● Currently, about 200 valid user certificates.
● Currently, about 30 valid host certificates.
RA:
● Currently there are 4 RA centers: 1 main + 3 regional: Ankara (main), Kayseri, Adana, Denizli.
● Identity validation is performed by video conference where the geographical location of the subject is remote.

Self Auditing (slide 7)
● Guidelines for auditing Grid CAs version 1.1 (October 28, 2010) is used.
● Reference documents:
  ● IGTF-AP-Classic v4.3
  ● Grid Certificate Profile (GFD.125)
  ● Private Key Protection Guideline v1.1 (September 21, 2010)
General auditing impression:
● There are some issues which should be in different sections of the CP/CPS.
● Certificates and CRLs are issued properly as stated in the references.
● The archives of all records are not well organised; they need to be in an auditable form.

Self Auditing Results (slide 8)
● 52 items with score A (good)
● 10 items with score B (minor change)
● 1 item with score C (major change)
● 0 items with score D
● 3 items N/A

Records Archival (12): C – major change (slide 9)
– The CA is responsible for maintaining an archive of these records in an auditable form.
– Documentation is OK but it is not well organised in practice. All records are stored in different areas – especially s.
– Action: All records will be organised in an auditable form by the end of this year.

3.1.2 CA System (7): B – minor change (slide 10)
– The CA system is a dedicated machine, but this is placed in section … of the CP/CPS.
– Action: It has been added to section … too.
CRL (29,30)
– The CA issues a new CRL at least 7 days before expiration, but this is placed in section 2.3 of the CP/CPS.
– A new CRL is issued immediately after a revocation, but it is placed in section 2.3 of the CP/CPS.
– Action: It has been added to section … too.

3.1.6 CRL (32): B – minor change (slide 11)
– The CRLs are compliant with RFC 3280, which was the obsoleted version of the ….
– Action: The CRL structure and extensions are checked. They are compliant with RFC …. It has been corrected in the CP/CPS document.
End Entity Certificates and Keys (40,42)
– Certificates are re-keyed and this is placed on the web page of the CA, but it is not placed in a user manual.
– "Certificates must not be re-keyed consecutively for 5 years without identity verification" is applied in practice, but does not exist in a user manual.
– Action: It will be added to the wiki page as a user manual.
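As an added example (not from the TR-Grid CA presentation or the CA's own tooling), here is a small audit-style check in Python that applies the CRL rules from the two slides above: the lead time of at least 7 days before the current CRL expires, and the presence of the extensions a Grid Certificate Profile CRL carries. The function names and sample dates are constructed for illustration; `load_crl_fields` assumes the `cryptography` package is available when a real CRL is checked.

```python
# Added example (not from the TR-Grid CA presentation or its tooling): an audit-style
# check of a CRL against the rules quoted in the slides: a new CRL is issued at least
# 7 days before the current one expires, and CRL structure/extensions follow RFC 5280
# and the Grid Certificate Profile (GFD.125). Names and sample dates are constructed.
from datetime import datetime, timedelta, timezone

CRL_LEAD_DAYS = 7  # policy figure from the slides
# Extensions a Grid Certificate Profile CRL is expected to carry (dotted OIDs).
REQUIRED_CRL_EXTENSIONS = {"2.5.29.20": "cRLNumber", "2.5.29.35": "authorityKeyIdentifier"}

def crl_findings(this_update, next_update, extension_oids, now):
    """Return audit findings for one CRL; an empty list means it passes."""
    findings = []
    if next_update is None:
        findings.append("nextUpdate is absent; relying parties cannot detect a stale CRL")
    else:
        if next_update <= this_update:
            findings.append("nextUpdate is not later than thisUpdate")
        if next_update - now < timedelta(days=CRL_LEAD_DAYS):
            findings.append(f"CRL expires in under {CRL_LEAD_DAYS} days; a new CRL is due")
    for oid, name in REQUIRED_CRL_EXTENSIONS.items():
        if oid not in extension_oids:
            findings.append(f"missing {name} extension ({oid})")
    return findings

def load_crl_fields(pem_bytes):
    """Pull the audited fields out of a real PEM CRL with the 'cryptography' package."""
    from cryptography import x509  # lazy import: crl_findings itself needs no third-party code
    crl = x509.load_pem_x509_crl(pem_bytes)
    if hasattr(crl, "next_update_utc"):  # cryptography >= 42 returns aware datetimes
        this_update, next_update = crl.last_update_utc, crl.next_update_utc
    else:  # older releases return naive datetimes; treat them as UTC
        this_update = crl.last_update.replace(tzinfo=timezone.utc)
        next_update = crl.next_update
        if next_update is not None:
            next_update = next_update.replace(tzinfo=timezone.utc)
    return this_update, next_update, {e.oid.dotted_string for e in crl.extensions}

def example_checks():
    """Constructed sample: two CRLs inspected on the meeting date, 2011-09-12."""
    now = datetime(2011, 9, 12, tzinfo=timezone.utc)
    healthy = crl_findings(now - timedelta(days=1), now + timedelta(days=20),
                           set(REQUIRED_CRL_EXTENSIONS), now)
    stale = crl_findings(now - timedelta(days=25), now + timedelta(days=3),
                         {"2.5.29.20"}, now)
    return healthy, stale

if __name__ == "__main__":
    for label, result in zip(("healthy", "stale"), example_checks()):
        print(label, result or "OK")
```

For a live CRL, pass the PEM bytes through `load_crl_fields` and feed the three returned values plus the current time to `crl_findings`.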

Compromise and Disaster Recovery (55): B – minor change (slide 12)
– The CA must have compromise and disaster recovery procedures. The compromise procedure is placed in section 5.7.1, but disaster recovery is not.
– Action: The disaster recovery procedures are added to the CP/CPS document.
RA Entity Identification (1,4)
– The roles of the RA are described in different sections.
– The RA should ensure that the requestor is appropriately authorized by the owner of the associated FQDN.
– Action: They have been added to section ….

RA Entity Identification (6): B – minor change (slide 13)
– The CA or RA have documented evidence on retaining the same identity over time. This has been done in practice, but does not exist in section ….
– Action: It has been added to section ….

First actions done after auditing (slide 14)
● All corrections/clarifications have been made in the CP/CPS.
● The wiki page is designed to be updated for local users as a user manual.
● We have started to collect logs to organise them.

Conclusion (slide 15)
● The auditing document is really useful and comprehensive enough for its purpose.
● Auditing was a good chance to address the recommendations of the Grid Certificate Profile.
● Each self-audit is a chance to correct the CP/CPS document and certificate profiles, and a chance to follow the improvements.